Preface



This volume contains the proceedings of the 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2004). TACAS 2004 took place in Barcelona, Spain, from March 29th to April 2nd, as part of the 7th European Joint Conferences on Theory and Practice of Software (ETAPS 2004), whose aims, organization, and history are detailed in a foreword by the ETAPS Steering Committee Chair, José Luiz Fiadeiro.

TACAS is a forum for researchers, developers, and users interested in rigorously based tools for the construction and analysis of systems. The conference serves to bridge the gaps between different communities including, but not limited to, those devoted to formal methods, software and hardware verification, static analysis, programming languages, software engineering, real-time systems, and communication protocols that share common interests in, and techniques for, tool development. In particular, by providing a venue for the discussion of common problems, heuristics, algorithms, data structures, and methodologies, TACAS aims to support researchers in their quest to improve the utility, reliability, flexibility, and efficiency of tools for building systems.

TACAS seeks theoretical papers with a clear link to tool construction, papers describing relevant algorithms and practical aspects of their implementation, papers giving descriptions of tools and associated methodologies, and case studies with a conceptual message.

The specific topics covered by the conference include, but are not limited to, 
the following: 

— specification and verification techniques, 

— theorem-proving and model-checking, 

— system construction and transformation techniques, 

— static and run-time analysis, 

— compositional and refinement-based methodologies, 

— testing and test-case generation, 

— analytical techniques for real-time, hybrid, and safety-critical systems, 

— tool environments and tool architectures, 

— applications and case studies. 

TACAS accepts two types of contribution: research papers and tool demonstration papers. Research papers are full-length papers covering one or more of the topics above, including tool development and case studies from the perspective of scientific research. Research papers are evaluated by the TACAS Program Committee. Tool demonstration papers are shorter papers that give an overview of a particular tool and its application. To stress the importance of tool demonstrations for TACAS, these papers are evaluated and selected by a specific member of the TACAS Program Committee who holds the title of Tool Chair.

In the years since it joined the ETAPS conference federation, TACAS has been the largest of the ETAPS member conferences in terms of number of submissions and papers accepted. TACAS 2004 received a record number of submissions: 145 research papers and 17 tool demonstration papers were submitted. From the submitted papers, 37 research papers and 6 tool demo papers were accepted, yielding an overall acceptance ratio of 26%. Together with 2003 this represents the most competitive acceptance rate to date for TACAS (the acceptance rate has never exceeded 36% since TACAS joined ETAPS in 1999).

To carry out the difficult task of selecting a program from the large number of submissions in a fair and competent manner, we were fortunate to have highly qualified program committee members from diverse geographic and research areas. Each submission was evaluated by at least three reviewers. After a four-week reviewing process, the program selection was carried out in a two-week online program committee meeting. We believe the result of the committee deliberations was a very strong scientific program. As this year’s invited speaker, the program committee selected Antti Valmari, who presented work on program verification by means of state spaces.

In conclusion, successfully organizing and implementing TACAS 2004 as represented by the proceedings recorded in this volume required significant effort by many different people during the past two years. Although it is impossible to mention everyone who contributed to TACAS 2004 by name, we would like to extend our sincere thanks to the following people: Bernhard Steffen, who served as the Tool Chair; the program committee members and additional referees, who performed admirably in spite of the high workload assigned to them; Martin Karusseit (METAFrame, Germany), for his constant and prompt support in dealing with the online conference management system; Andrey Rybalchenko (MPI für Informatik, Germany), who carried out the hard work of preparing the LNCS proceedings; Kjeld Høyer Mortensen (University of Aarhus, Denmark), for his help in preparing the TACAS 2004 website (www.daimi.au.dk/~cpn/tacas04); the TACAS Steering Committee, for inviting us to chair TACAS 2004; the ETAPS 2004 Organizing Committee, including the committee chair Fernando Orejas; and the ETAPS Steering Committee Chair José Luiz Fiadeiro, for his patient guidance and prompting over the course of many months.
Foreword



ETAPS 2004 was the seventh instance of the European Joint Conferences on 
Theory and Practice of Software. ETAPS is an annual federated conference that 
was established in 1998 by combining a number of existing and new conferences. 
This year it comprised five conferences (FOSSACS, FASE, ESOP, CC, TACAS), 
23 satellite workshops, 1 tutorial, and 7 invited lectures (not including those 
that are specific to the satellite events). 

The events that comprise ETAPS address various aspects of the system development process, including specification, design, implementation, analysis and improvement. The languages, methodologies and tools that support these activities are all well within its scope. Different blends of theory and practice are represented, with an inclination towards theory with a practical motivation on the one hand and soundly based practice on the other. Many of the issues involved in software design apply to systems in general, including hardware systems, and the emphasis on software is not intended to be exclusive.

ETAPS is a loose confederation in which each event retains its own identity, with a separate program committee and independent proceedings. Its format is open-ended, allowing it to grow and evolve as time goes by. Contributed talks and system demonstrations are in synchronized parallel sessions, with invited lectures in plenary sessions. Two of the invited lectures are reserved for “unifying” talks on topics of interest to the whole range of ETAPS attendees. The aim of cramming all this activity into a single one-week meeting is to create a strong magnet for academic and industrial researchers working on topics within its scope, giving them the opportunity to learn about research in related areas, and thereby to foster new and existing links between work in areas that were formerly addressed in separate meetings.

ETAPS 2004 was organized by the LSI Department of the Catalonia Technical University (UPC), in cooperation with:

European Association for Theoretical Computer Science (EATCS)
European Association for Programming Languages and Systems (EAPLS)
European Association of Software Science and Technology (EASST)
ACM SIGACT, SIGSOFT and SIGPLAN

The organizing team comprised 

Jordi Cortadella (Satellite Events), Nikos Mylonakis, Robert Nieuwenhuis, 
Fernando Orejas (Chair), Edelmira Pasarella, Sonia Perez, Elvira Pino, 
Albert Rubio 

and had the assistance of TILES A OPC. 

ETAPS 2004 received generous sponsorship from:

UPC, Spanish Ministry of Science and Technology (MCYT), Catalan Department for Universities, Research and Information Society (DURSI), IBM, Intel.

Overall planning for ETAPS conferences is the responsibility of its Steering Committee, whose current membership is:

Rastislav Bodik (Berkeley), Maura Cerioli (Genoa), Evelyn Duesterwald (IBM, Yorktown Heights), Hartmut Ehrig (Berlin), José Fiadeiro (Leicester), Marie-Claude Gaudel (Paris), Andy Gordon (Microsoft Research, Cambridge), Roberto Gorrieri (Bologna), Nicolas Halbwachs (Grenoble), Görel Hedin (Lund), Kurt Jensen (Aarhus), Paul Klint (Amsterdam), Tiziana Margaria (Dortmund), Ugo Montanari (Pisa), Hanne Riis Nielson (Copenhagen), Fernando Orejas (Barcelona), Mauro Pezzè (Milan), Andreas Podelski (Saarbrücken), Mooly Sagiv (Tel Aviv), Don Sannella (Edinburgh), Vladimiro Sassone (Sussex), David Schmidt (Kansas), Bernhard Steffen (Dortmund), Perdita Stevens (Edinburgh), Andrzej Tarlecki (Warsaw), Igor Walukiewicz (Bordeaux), Michel Wermelinger (Lisbon)

I would like to express my sincere gratitude to all of these people and organizations, the program committee chairs and PC members of the ETAPS conferences, the organizers of the satellite events, the speakers themselves, and finally Springer-Verlag for agreeing to publish the ETAPS proceedings. This year, the number of submissions approached 600, making acceptance rates fall to 25%. I congratulate the authors who made it into the final program! I hope that all the other authors still found a way of participating in this exciting event and I hope you will continue submitting.

In 2005, ETAPS will be organized by Don Sannella in Edinburgh. You will be welcomed by another “local”: my successor as ETAPS Steering Committee Chair, Perdita Stevens. My wish is that she will enjoy coordinating the next three editions of ETAPS as much as I have. It is not an easy job, in spite of what Don assured me when I succeeded him! But it is definitely a very rewarding one. One cannot help but feel proud of seeing submission and participation records being broken one year after the other, and that the technical program reached the levels of quality that we have been witnessing. At the same time, interacting with the organizers has been a particularly rich experience. Having organized the very first edition of ETAPS in Lisbon in 1998, I knew what they were going through, and I can tell you that each of them put his/her heart, soul, and an incredible amount of effort into the organization. The result, as we all know, was brilliant on all counts! Therefore, my last words are to thank Susanne Graf (2002), Andrzej Tarlecki and Pawel Urzyczyn (2003), and Fernando Orejas (2004) for the privilege of having worked with them.



Leicester, January 2004 



José Luiz Fiadeiro
ETAPS Steering Committee Chairman 
Abstract. This paper provides a stronger result for exploiting positive equality in the logic of Equality with Uninterpreted Functions (EUF). Positive equality analysis is used to reduce the number of interpretations required to check the validity of a formula. We remove the primary restriction of the previous approach proposed by Bryant, German and Velev [5], where positive equality could be exploited only when all the function applications for a function symbol appear in positive context. We show that the set of interpretations considered by our analysis of positive equality is a subset of the set of interpretations considered by the previous approach. The paper investigates the obstacles in exploiting the stronger notion of positive equality (called robust positive equality) in a decision procedure and provides a solution for it. We present empirical results on some verification benchmarks.



1 Introduction 

Decision procedures for quantifier-free First-Order Logic (FOL) with equality have become an integral part of many formal verification tools. The importance of decision procedures lies in automatically validating (or invalidating) formulas in the logic. The ability to automatically decide formulas has been the cornerstone of several scalable verification approaches. For hardware, Burch and Dill [8] have used symbolic simulation with a decision procedure for the quantifier-free fragment of FOL to automatically verify complex microprocessor control. Bryant et al. [5] have extended their method to successfully verify superscalar processors. Recently, Lahiri, Seshia and Bryant [15] have demonstrated the use of efficient decision procedures to improve the automation for out-of-order processor verification. For software, decision procedures have been used for translation validation of compilers [19]. Decision procedures are used extensively for predicate abstraction in several software verification efforts [2,13]. They have also been used for the analysis of other concurrent infinite-state systems.

Most decision procedures for quantifier-free logic fall roughly into two categories: decision procedures based on (i) a combination of theories [22,17,3,18] or (ii) a validity preserving translation to a Boolean formula [5,19,21,7]. The former methods combine the decision procedures for individual theories using the Nelson-Oppen [17] style of combination. The latter methods translate the first-order formula to a Boolean formula such that the Boolean formula is valid if and only if the first-order formula is valid. There has also been work in solving first-order formulas by using abstraction-refinement based on Boolean Satisfiability (SAT) solvers [4,9].

* This research was supported in part by the Semiconductor Research Corporation, Contract RID 1029.001.

Among the decision procedures based on a validity preserving translation to a Boolean formula, Bryant et al. [5,5] proposed a technique to exploit the structure of equations in a formula to efficiently translate it into a Boolean formula. Their method identifies a subset of function symbols in the formula as “p-function” symbols, the function symbols which only occur in monotonically positive contexts. The method then restricts the set of interpretations for the function applications of p-function symbols for checking the validity of the formula. They have successfully used this decision procedure to automatically verify complex microprocessors. The method was initially proposed for the Logic of Equality with Uninterpreted Functions (EUF) and was later extended for the logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions (CLU) [7,12]. Pnueli et al. [19] use Ackermann’s function elimination method [1] to remove function applications from a formula and allocate ranges for each of the variables in the resulting formula, such that the ranges are sufficient for checking validity. The technique also exploits the polarity of equations in the formula to restrict the range allocation. Rodeh et al. [21] have used the function elimination method of Bryant et al. [5] to further restrict the domain size of the variables using the algorithm in [19]. The last two decision procedures have been successfully used for validating compiler code automatically. In all the above decision procedures [5,19,21], the key idea has been to restrict the set of interpretations by exploiting the polarity of the terms in the formula.

One of the main limitations of the positive equality analysis of Bryant et al. is that it is not robust. For a function symbol $f$ to be a “p-function” symbol, all the function applications of $f$ have to appear in monotonically positive equations. This makes it difficult to exploit positive equality, even when only a small number of applications of a function appear in a negative context. This places stronger restrictions on the formulas to be decided efficiently, and the method has not proven effective for benchmarks which display these characteristics [20].

In this paper, we present a generalization of the positive equality analysis of Bryant, German and Velev [5] which allows the decision procedure to exploit positive equality in situations where the previous approach could not exploit it. This stronger version of positive equality analysis, called robust positive equality, restricts the interpretations to consider in deciding formulas in EUF to a subset of the interpretations considered by the previous approach. We show the complexity of exploiting robust positive equality in a decision procedure which uses the function elimination method proposed by Bryant et al. [5]. We describe a decision procedure to exploit this stronger form of positive equality. We present verification benchmarks where this approach reduces the number of interpretations to consider by orders of magnitude compared to the previous approach.
The rest of the paper is organized as follows: In Section 2, we present Bryant et al.’s positive equality analysis. We illustrate the strengths and limitations of their approach. In Section 3, we present a generalization of the positive equality analysis called robust positive equality analysis. We present the robust maximal diversity theorem that allows us to restrict the interpretations to consider to a subset of the interpretations considered by the previous approach. Section 4 discusses a decision procedure based on robust positive equality. We discuss the main complications in exploiting robust positive equality in a decision procedure and provide a heuristic which lets us exploit robust positive equality. In Section 5, we compare the effectiveness of the new approach to the previous work on a set of verification benchmarks.



2 Background: Positive Equality and Its Limitation 

In earlier work, Bryant et al. [5,5] exploited positive equality in the logic of EUF to give a very efficient decision procedure for this fragment. The logic of EUF is built from terms and formulas. Terms are formed by function applications (e.g. $f(x)$) or by if-then-else ($ITE$) constructs. The expression $ITE(G, T_1, T_2)$ selects $T_1$ when $G$ is true, and $T_2$ otherwise. Formulas are built from predicate applications, equations between terms, or using the other Boolean connectives ($\wedge$, $\vee$, $\neg$). Every function and predicate symbol has an associated arity to denote the number of arguments for the symbol. Function symbols of arity zero are called symbolic constants. Similarly, predicate symbols of arity zero are called propositional symbolic constants.

In positive equality analysis, the decision procedure partitions the function symbols in an EUF formula into p-function symbols and g-function symbols. A function symbol $f$ is called a p-function symbol in an EUF formula $F$¹ if none of the function applications of $f$ appear in (i) a negative equation (e.g. $f(x_1, \ldots, x_k) \neq T_1$) or (ii) the controlling formula of an if-then-else (ITE) term (the controlling formula of an ITE is implicitly negated when choosing the else branch). All function symbols which are not p-function symbols are g-function symbols.

The semantics of an expression in EUF is defined relative to a non-empty domain $\mathcal{D}$ of values and an interpretation $I$, which assigns values to the function and predicate symbols in the formula. An interpretation $I$ assigns a function from $\mathcal{D}^k$ to $\mathcal{D}$ to each function symbol of arity $k$ and a function from $\mathcal{D}^k$ to $\{true, false\}$ to each predicate symbol of arity $k$. Given an interpretation $I$, the meaning of an expression $E$ is defined as $I[E]$ inductively on the syntactic structure of $E$. A formula $F$ is valid (also called universally valid) if for every interpretation $I$, $I[F] = true$.

An interpretation $I$ is called a maximally-diverse interpretation if for any p-function symbol $f$, $I[f(U_1, \ldots, U_k)] = I[g(S_1, \ldots, S_m)]$ if and only if the following conditions hold: (i) $f$ and $g$ are the same function symbol and (ii) for all $i \in [1, \ldots, k]$, $I[U_i] = I[S_i]$. The main theorem is called the maximal diversity theorem², which is given below.

¹ For simplicity, assume $F$ is in negation normal form where all the negations are pushed down towards the leaves of the formula and $\neg\neg G$ is collapsed to $G$.

Theorem 1. Maximal Diversity Theorem. An EUF formula $F$ is valid iff $F$ is true in all maximally-diverse interpretations.

Restricting the set of interpretations to only maximally-diverse interpretations for checking validity is very efficient for EUF formulas with a large number of p-function symbols. For instance, consider the formula:

$\neg(x = y) \vee (f(g(x)) = f(g(y)))$

The set of terms in the formula is $\{x, y, g(x), g(y), f(g(x)), f(g(y))\}$. Since there are 6 terms in the formula, it is sufficient to restrict the domain of each of the terms to contain at most 6 values for checking validity [1]. Hence, one can decide the formula by considering $6^6$ interpretations. However, positive equality analysis allows us to restrict the number of combinations to search to only $2^2$ values, since only two functions $x$ and $y$ (of arity 0) appear in a negative equation.

However, the main bottleneck of the approach is that it is not robust. Positive equality cannot be exploited for a function symbol $f$ even if only one application of $f$ appears in a negative context. For example, consider the following EUF formula:

$F = \neg(f(x) = x) \vee (f(f(f(f(x)))) = f(f(f(x))))$ (1)

After exploiting positive equality, the set of p-function symbols would be $\{\}$ and the set of g-function symbols would be $\{x, f\}$. This is because both $x$ and $f$ appear in a negative equation, namely $\neg(f(x) = x)$, in the formula. Thus the number of interpretations to search would be $5^5 = 3125$.

However, one can see that only one application of $f$, namely $f(x)$, appears in a negative equation, while the other applications, $f(f(x))$, $f(f(f(x)))$ and $f(f(f(f(x))))$, appear in positive equations only. In this paper, we present a generalization of the positive equality analysis which allows us to exploit the positive structure of such applications. Based on the new analysis, it is sufficient to consider only 4 interpretations to decide the validity of the formula $F$, instead of the $5^5$ interpretations. Even for this small formula, this reduces the number of interpretations to consider $3125/4 = 781$ fold!

3 Logic of Robust Positive Equality with Uninterpreted Functions (RPEUF)

3.1 Syntax 

Figure 1 gives the syntax of RPEUF³. The logic is essentially the same as EUF or PEUF [5], but partitions the formulas (respectively, terms) into “p-formulas” and “g-formulas” (respectively, “p-terms” and “g-terms”). Intuitively, a p-formula appears only in monotonically positive expressions, i.e. it does not appear under the scope of negations ($\neg$) or in the controlling formulas of ITE expressions. All other formulas are g-formulas. The top-level formula can always be classified as a p-formula. The p-terms are those terms which never appear in a g-formula. More details can be found in [6]. The only difference between PEUF and RPEUF is that function symbols are not partitioned into p-function symbols and g-function symbols. Instead, each application of a function can be either a p-function application (p-func-appl) or a g-function application (g-func-appl). Let $\mathcal{T}_p(F)$ be the set of p-term function application terms in a formula $F$. Similarly, let $\mathcal{T}_g(F)$ be the set of g-term function application terms in a formula $F$.

² The definition of maximally-diverse interpretation is slightly different from the original work [5] for simplicity of presentation.

³ We try to follow the terminology of the original paper by Bryant et al. for the rest of the paper, whenever applicable.



g-term    ::= ITE(g-formula, g-term, g-term)
            | g-func-appl(p-term, ..., p-term)

p-term    ::= g-term
            | ITE(g-formula, p-term, p-term)
            | p-func-appl(p-term, ..., p-term)

g-formula ::= true | false | ¬g-formula | (g-term = g-term)
            | (g-formula ∨ g-formula) | (g-formula ∧ g-formula)
            | predicate-symbol(p-term, ..., p-term)

p-formula ::= g-formula | (p-term = p-term)
            | (p-formula ∨ p-formula) | (p-formula ∧ p-formula)

Fig. 1. Syntax for RPEUF



For any RPEUF formula $F$, we define $E(F)$ to be the set of function symbols in $F$. For a function application term $T$, top-symbol($T$) returns the top-level function symbol of the term $T$.



3.2 Diverse Interpretations 

The semantics of an expression in RPEUF is defined in a similar manner as in Section 2. The domain $\mathcal{D}$ is kept implicit for most of our purposes and we assume it to be the underlying domain. An interpretation defines a partitioning of the terms in the formula, where two terms belong to the same equivalence class if and only if they are assigned the same value. Interpretation $I$ refines (properly refines) interpretation $I'$ if $I$ refines (properly refines) the equivalence classes induced by $I'$.

Given an interpretation $I$, function application terms $T_1 = f(U_1, \ldots, U_k)$ and $T_2 = f(S_1, \ldots, S_k)$ are said to argumentMatch under $I$ if for all $j \in [1, \ldots, k]$, $I[U_j] = I[S_j]$. It is not defined when $T_1$ and $T_2$ have different top-level function symbols.
Robust Maximally Diverse Interpretation. An interpretation $I$ is said to be robust maximally diverse if $I$ satisfies the following property:

— For every term $T_1 = f(U_1, \ldots, U_k) \in \mathcal{T}_p(F)$ which does not argumentMatch under $I$ with any term $f(S_1, \ldots, S_k) \in \mathcal{T}_g(F)$, and for any other function application term $T_2$, $I[T_1] = I[T_2]$ iff (i) $T_2 = f(V_1, \ldots, V_k)$ and (ii) $I[U_m] = I[V_m]$ for all $m \in [1, \ldots, k]$.



Example. Consider the formula in Equation 1. Let us assume (as shown a little later in Section 4.1) that the set of positive applications is $\mathcal{T}_p(F) = \{f(f(x)), f(f(f(x))), f(f(f(f(x))))\}$. The set $\mathcal{T}_g(F)$ becomes $\{x, f(x)\}$. The interpretation $I = \{x \mapsto 1, f(1) \mapsto 2, f(2) \mapsto 3, f(3) \mapsto 4\}$ is an example of a robust maximally diverse interpretation. In this interpretation, $I[f(x)] = 2$, $I[f(f(x))] = 3$ and $I[f(f(f(x)))] = 4$. Similarly, the interpretation $I = \{x \mapsto 1, f(1) \mapsto 2, f(2) \mapsto 2\}$ is a robust maximally diverse interpretation. However, the interpretation $I = \{x \mapsto 1, f(1) \mapsto 2, f(2) \mapsto 1\}$ is not a robust maximally diverse interpretation, since $I[x] = I[f(f(x))] = 1$. But $f(f(x))$ is a p-term whose argument $I[f(x)] = 2$ does not match the argument of the g-term $f(x)$, since $I[x] = 1$.

Theorem 2. Robust Maximal Diversity Theorem. A p-formula $F$ is universally valid iff $F$ is true in all robust maximally diverse interpretations.

The theorem allows us to restrict ourselves to only those interpretations which 
are robust maximally diverse. We will show later that in many cases, this prunes 
away a very large portion of the search space. The proof is very similar to the 
one presented for the maximal diversity theorem [6] and can be found in the 
extended version [14]. 

The following lemma establishes the correspondence between the maximally diverse interpretations and the robust maximally diverse interpretations.

Proposition 1. If an interpretation $I$ is a robust maximally diverse interpretation, then $I$ is a maximally diverse interpretation.

This follows from the fact that for a “p-function” symbol $f$, a p-term $T_1 = f(U_1, \ldots, U_k)$ never argumentMatches with a g-term $T_2 = f(V_1, \ldots, V_k)$, since there are no g-terms for a “p-function” symbol $f$. Thus the set of robust maximally diverse interpretations is a subset of the set of maximally diverse interpretations.
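To make the definition of Section 3.2 mechanical, the following checker, added here and not taken from the paper, evaluates the robust maximal diversity condition on the paper's Equation (1). As in the paper's example, $\mathcal{T}_p(F)$ and $\mathcal{T}_g(F)$ are taken as given; the paper's first interpretation is extended with the assumption $f(4) \mapsto 5$ so that $f(f(f(f(x))))$ has a value, and a constructed interpretation in which $f(f(x))$ argumentMatches the g-term $f(x)$ is checked as well.

```python
"""Checker for the robust maximal diversity condition of Section 3.2, applied to the
paper's Equation (1). Added example, not code from the paper."""

# Terms are tuples: ('x',) is the symbolic constant x, ('f', ('x',)) is f(x).
X = ('x',)
def f(t): return ('f', t)

# Taken as given, as in the paper's example (Section 4.1 derives them):
T_P = [f(f(X)), f(f(f(X))), f(f(f(f(X))))]   # p-term applications of Equation (1)
T_G = [X, f(X)]                              # g-term applications of Equation (1)

def evaluate(term, interp):
    """I[term]: `interp` maps each symbol name to a dict from argument-value tuples
    to a value; a constant is looked up with the empty tuple."""
    args = tuple(evaluate(a, interp) for a in term[1:])
    return interp[term[0]][args]

def argument_match(t1, t2, interp):
    """argumentMatch of Section 3.2: defined only for the same top-level symbol, and
    true iff the arguments evaluate pairwise to the same values."""
    if t1[0] != t2[0]:
        raise ValueError("argumentMatch is undefined for different top-level symbols")
    return all(evaluate(a, interp) == evaluate(b, interp) for a, b in zip(t1[1:], t2[1:]))

def robust_diversity_violation(interp, t_p, t_g):
    """Return None if `interp` is robust maximally diverse for the given term sets,
    otherwise the first pair (T1, T2) that violates the definition: T1 is a p-term
    that does not argumentMatch any g-term with its symbol, and I[T1] == I[T2] holds
    without T2 being an application of the same symbol to equal-valued arguments
    (or vice versa)."""
    for t1 in t_p:
        if any(argument_match(t1, s, interp) for s in t_g if s[0] == t1[0]):
            continue  # covered by a g-term: the definition constrains nothing here
        for t2 in t_p + t_g:
            if t2 == t1:
                continue
            same_value = evaluate(t1, interp) == evaluate(t2, interp)
            same_application = t2[0] == t1[0] and argument_match(t1, t2, interp)
            if same_value != same_application:
                return (t1, t2)
    return None

# The paper's first interpretation {x -> 1, f(1) -> 2, f(2) -> 3, f(3) -> 4};
# f(4) -> 5 is an added assumption so that f(f(f(f(x)))) has a value.
I_DIVERSE = {'x': {(): 1}, 'f': {(1,): 2, (2,): 3, (3,): 4, (4,): 5}}
# The paper's third interpretation {x -> 1, f(1) -> 2, f(2) -> 1}: I[x] = I[f(f(x))].
I_NOT_DIVERSE = {'x': {(): 1}, 'f': {(1,): 2, (2,): 1}}
# Constructed: f(x) takes the value of x, so f(f(x)) argumentMatches the g-term f(x)
# and the robust definition places no constraint on the p-terms at all.
I_MATCHING = {'x': {(): 1}, 'f': {(1,): 1}}

if __name__ == '__main__':
    for name, interp in (('diverse', I_DIVERSE), ('not diverse', I_NOT_DIVERSE),
                         ('matching', I_MATCHING)):
        print(name, '->', robust_diversity_violation(interp, T_P, T_G))
```

For the paper's third interpretation the checker reports the pair $(f(f(x)), x)$, which is exactly the clash the text points out.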



4 Decision Procedure for Robust Positive Equality 



In this section, we present a decision procedure for exploiting robust positive equality. The essence of the decision procedure is similar to the decision procedure proposed by Bryant, German and Velev, but there are important differences which make the procedure more complicated.
4.1 Extracting an RPEUF from EUF

Given an EUF formula $F$, one might try to label the terms and formulas as g-terms, p-terms, p-formulas and g-formulas by the syntax in Figure 1. But the choice of “promoting” g-terms and g-formulas to p-terms and p-formulas makes the grammar ambiguous. Thus the first step is to use a labeling scheme to mark the different expressions in the formula $F$.

For a given EUF formula $F$, let $\mathcal{L}_F$ be a labeling function. If $\mathcal{T}(F)$ and $\mathcal{G}(F)$ are the sets of terms and formulas in $F$, then $\mathcal{L}_F$ satisfies the following conditions:

— If $T \in \mathcal{T}(F)$, then $\mathcal{L}_F(T) \in \{$g-term, p-term$\}$

— If $G \in \mathcal{G}(F)$, then $\mathcal{L}_F(G) \in \{$g-formula, p-formula$\}$

— This labeling is permitted by the syntax

A natural labeling function $\mathcal{L}^*_F$ [6] is to label the formulas which never appear under an odd number of negations and do not appear as the control of any ITE node as p-formulas. All other formulas are labeled as g-formulas. Once the formulas are labeled, label a term as a p-term if it never appears in an equation labeled as a g-formula. All other terms are marked as g-terms.



4.2 Topological Ordering of Terms 

Once we have labeled all the terms in a formula $F$ as either a p-term or a g-term, we define a topological order $\prec$ for visiting the terms. A topological order preserves the property that if $T_1$ is a subterm of $T_2$ in the formula $F$, then $T_1 \prec T_2$. There can be many topological orders for the same formula.

Given a topological order $\prec$, consider the terms that have been labeled by $\mathcal{L}_F$. We partition the terms into $\mathcal{T}^+(F)$, $\mathcal{T}^-(F)$ and $\mathcal{T}^0(F)$ as follows. For any term $T \in \mathcal{T}(F)$:

- $T \in \mathcal{T}^-(F)$ iff $\mathcal{L}_F(T) = $ g-term

- $T \in \mathcal{T}^0(F)$ iff $\mathcal{L}_F(T) = $ p-term and there exists $T' \in \mathcal{T}^-(F)$ such that $T \prec T'$ and top-symbol($T$) = top-symbol($T'$).

- $T \in \mathcal{T}^+(F)$ iff $T \notin \mathcal{T}^-(F)$ and $T \notin \mathcal{T}^0(F)$.

Intuitively, the terms in $\mathcal{T}^0(F)$ are those terms which precede a negative application with the same top-level function symbol. We label some terms as members of $\mathcal{T}^0(F)$ because the function elimination scheme (based on Bryant et al.’s method) eliminates function applications in a topological order. Hence we need to process all the subterms before processing a term.

For example, consider the formula in Equation 1. There are 5 terms in the formula: $x$, $f(x)$, $f(f(x))$, $f(f(f(x)))$, $f(f(f(f(x))))$. The labeling scheme labels the terms $x$, $f(x)$ as g-terms and the terms $f(f(x))$, $f(f(f(x)))$, $f(f(f(f(x))))$ as p-terms. The only topological ordering on this set of terms is $x \prec f(x) \prec f(f(x)) \prec f(f(f(x))) \prec f(f(f(f(x))))$. Given this topological order, the partitioning results in the following sets:

- $\mathcal{T}^-(F) = \{x, f(x)\}$, $\mathcal{T}^0(F) = \{\}$ and $\mathcal{T}^+(F) = \{f(f(x)), f(f(f(x))), f(f(f(f(x))))\}$.

However, consider the following formula:

$F = \neg(f(g(x)) = g(f(x)))$ (2)

There are 5 terms in the formula: $x$, $f(x)$, $g(x)$, $f(g(x))$ and $g(f(x))$. The labeling labels $f(g(x))$, $g(f(x))$ as g-terms and $x$, $f(x)$, $g(x)$ as p-terms. Three possible topological orderings on this set of terms are:

1. $x \prec f(x) \prec g(x) \prec f(g(x)) \prec g(f(x))$, or

2. $x \prec f(x) \prec g(f(x)) \prec g(x) \prec f(g(x))$, or

3. $x \prec g(x) \prec f(g(x)) \prec f(x) \prec g(f(x))$

Given these topological orders, the partitioning results in the following sets for the three orders, respectively:

1. $\mathcal{T}^-(F) = \{f(g(x)), g(f(x))\}$, $\mathcal{T}^0(F) = \{f(x), g(x)\}$ and $\mathcal{T}^+(F) = \{x\}$.

2. $\mathcal{T}^-(F) = \{f(g(x)), g(f(x))\}$, $\mathcal{T}^0(F) = \{f(x)\}$ and $\mathcal{T}^+(F) = \{x, g(x)\}$.

3. $\mathcal{T}^-(F) = \{f(g(x)), g(f(x))\}$, $\mathcal{T}^0(F) = \{g(x)\}$ and $\mathcal{T}^+(F) = \{x, f(x)\}$.

The example in Equation 2 illustrates several interesting points. First, even though $f(x)$ and $g(x)$ are both labeled as p-terms, there is no ordering of terms such that all the g-terms with the top-level symbols $f$ and $g$ precede these two terms. Note that this limits us from exploiting the full power of Theorem 2. Second, the topological ordering can affect the size of the set $\mathcal{T}^+(F)$. The bigger the size of this set, the better the encoding is. Hence, we would like to find the topological ordering which maximizes the size of $\mathcal{T}^+(F)$.
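The labeling of Section 4.1 and the partition of Section 4.2 can be run mechanically. The following is an added example, not the paper's code: it labels the terms of Equations (1) and (2), enumerates every topological order by brute force (the heuristic of Section 4.3 is not reproduced), picks one maximizing $|\mathcal{T}^+(F)|$, and reports interpretation counts in the $n^n$ style of Section 2 for no positive equality, for the p/g-function-symbol analysis of Bryant et al., and for the robust analysis. ITE terms and predicate applications are left out as a simplification.

```python
"""Term labeling (Section 4.1), topological orders and the T-/T0/T+ partition (Section 4.2)
for the paper's Equations (1) and (2). Added example, not the paper's code."""
from itertools import permutations

# Terms are tuples: ('x',) is a symbolic constant, ('f', ('x',)) is f(x).
# Formulas are tuples: ('eq', T1, T2), ('not', G), ('and', G1, G2), ('or', G1, G2).
# Simplification: ITE terms and predicate applications are not modelled.

def subterms(term):
    """All subterms of `term` without duplicates, innermost first, `term` itself last."""
    out = []
    for arg in term[1:]:
        for s in subterms(arg):
            if s not in out:
                out.append(s)
    out.append(term)
    return out

def label_terms(formula):
    """The natural labeling of Section 4.1: an equation under an odd number of negations
    is a g-formula, both sides of such an equation are g-terms, and every other term
    (including the subterms of g-terms) is a p-term. Returns (g_terms, p_terms)."""
    g_terms, all_terms = [], []

    def walk(form, negated):
        op = form[0]
        if op == 'not':
            walk(form[1], not negated)
        elif op in ('and', 'or'):
            walk(form[1], negated)
            walk(form[2], negated)
        elif op == 'eq':
            for side in form[1:]:
                for s in subterms(side):
                    if s not in all_terms:
                        all_terms.append(s)
                if negated and side not in g_terms:
                    g_terms.append(side)
        else:
            raise ValueError("unsupported connective %r" % op)

    walk(formula, False)
    return g_terms, [t for t in all_terms if t not in g_terms]

def topological_orders(terms):
    """Every ordering of `terms` in which each term follows all of its proper subterms.
    Exhaustive (Section 4.3 shows picking the best order is NP-complete), so small inputs only."""
    for order in permutations(terms):
        pos = {t: i for i, t in enumerate(order)}
        if all(pos[s] < pos[t] for t in order for s in subterms(t)[:-1]):
            yield list(order)

def partition(order, g_terms):
    """Split a topological order into (T-, T0, T+): T- holds the g-terms, T0 the p-terms
    that precede a g-term with the same top-level symbol, T+ the remaining p-terms."""
    t_minus, t_zero, t_plus = [], [], []
    for i, t in enumerate(order):
        if t in g_terms:
            t_minus.append(t)
        elif any(u in g_terms and u[0] == t[0] for u in order[i + 1:]):
            t_zero.append(t)
        else:
            t_plus.append(t)
    return t_minus, t_zero, t_plus

def best_partition(formula):
    """Search every topological order for one maximizing |T+|; returns (order, parts)."""
    g_terms, p_terms = label_terms(formula)
    best = None
    for order in topological_orders(g_terms + p_terms):
        parts = partition(order, g_terms)
        if best is None or len(parts[2]) > len(best[1][2]):
            best = (order, parts)
    return best

def interpretation_bounds(formula):
    """Three n^n bounds in the style of Section 2 (each term that still needs a value may
    take as many values as there are such terms): no positive equality, [5], robust."""
    g_terms, p_terms = label_terms(formula)
    terms = g_terms + p_terms
    # [5]: one g-term application makes the whole symbol a g-function symbol.
    g_symbols = {t[0] for t in g_terms}
    k = sum(1 for t in terms if t[0] in g_symbols)
    # Robust: only T- and T0 terms need a value (2^2 = 4 for Equation (1), as in the text).
    _, (t_minus, t_zero, _) = best_partition(formula)
    m = len(t_minus) + len(t_zero)
    return len(terms) ** len(terms), k ** k, m ** m

# Constructed inputs: the paper's Equation (1) and Equation (2).
X = ('x',)
def f(t): return ('f', t)
def g(t): return ('g', t)
EQ1 = ('or', ('not', ('eq', f(X), X)), ('eq', f(f(f(f(X)))), f(f(f(X)))))
EQ2 = ('not', ('eq', f(g(X)), g(f(X))))
```

`interpretation_bounds(EQ1)` returns (3125, 3125, 4), the numbers of Section 2, and `best_partition(EQ2)` finds an order with $|\mathcal{T}^+(F)| = 2$, confirming that no order puts both $f(x)$ and $g(x)$ into $\mathcal{T}^+(F)$.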



4.3 Maximizing $\mathcal{T}^+(F)$

The problem of obtaining the optimal ordering $\prec$ which maximizes the size of $\mathcal{T}^+(F)$ turns out to be NP-complete. In this section, we reduce the problem of maximum independent set for an undirected graph to our problem.

Let us first pose the problem as a decision problem: is there an ordering $\prec$ for which the number of terms in $\mathcal{T}^+(F)$ is at least $k$? Given an ordering $\prec$, it is easy to find out the number of terms in $\mathcal{T}^+(F)$ in polynomial time, hence the problem is in NP.

To show that the problem is NP-complete, consider an undirected graph $G = (V, E)$, with $V$ as the set of vertices and $E$ as the set of edges. Construct a labeled and polar directed acyclic graph (DAG) $D = (V', E')$, where each vertex $v \in V'$ is a tuple $(n_v, l_v, p_v)$, where $n_v$ is the vertex identifier, $l_v$ is a label of the vertex, and $p_v$ is the polarity of the vertex. The label of a vertex is a function symbol, and the polarity of a vertex can either be (-) negative or (+) non-negative. It is easy to see that the vertices of $D$ represent the terms in a




